feat(ory): OIDC group-to-team mapping, social login, Gitea OIDC-only mode

Identity permissions flow from Kratos metadata_admin.groups through Hydra ID token claims to Gitea's OIDC group-to-team mapping: - super-admin → site admin + Owners + Employees teams - employee → Owners + Employees teams - community → Contributors team (social sign-up users) Kratos: Discord + GitHub social login providers, community identity schema, OIDC method enabled with env-var credential injection via VSO. Gitea: OIDC-only login (no local registration, no password form), APP_NAME, favicon, auto-registration with account linking. Also: messages-mta-in recreate strategy + liveness probe for milter.
2026-03-27 17:46:11 +00:00
parent 33f0e44545
commit 97628b0f6f
5 changed files with 136 additions and 0 deletions
--- a/base/ory/vault-secrets.yaml
+++ b/base/ory/vault-secrets.yaml
@@ -157,3 +157,51 @@ spec:
          text: "{{ index .Secrets \"s3-access-key\" }}"
        s3-secret-key:
          text: "{{ index .Secrets \"s3-secret-key\" }}"
+---
+# Discord OAuth2 credentials for Kratos social sign-in.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: kratos-social-discord
+  namespace: ory
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: kratos-social-discord
+  refreshAfter: 30s
+  destination:
+    name: kratos-social-discord
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        client-id:
+          text: "{{ index .Secrets \"client-id\" }}"
+        client-secret:
+          text: "{{ index .Secrets \"client-secret\" }}"
+---
+# GitHub OAuth2 credentials for Kratos social sign-in.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: kratos-social-github
+  namespace: ory
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: kratos-social-github
+  refreshAfter: 30s
+  destination:
+    name: kratos-social-github
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        client-id:
+          text: "{{ index .Secrets \"client-id\" }}"
+        client-secret:
+          text: "{{ index .Secrets \"client-secret\" }}"